Hi Graham,

The issue you have is due to your locally installed AVG Security product. In order to do a security scan/review of your encrypted connections (web, SMTP, IMAP), AVG works as a man-in-the-middle and is intercepting the connection that Stunnel is trying to do to mail.lopham.co.uk and presenting a certificate signed by a local CA that is unknown to Stunnel. I understand that you can configure AVG to disable this TLS scanning/interception, but most likely you want to keep it enabled and to avoid the failure in Stunnel you must add the local AVG CA root certificate to the file ca-certs.pem, You need to export the cert in PEM format and append it to your ca-certs.pem with a text editor.

See:

https://support.avg.com/SupportArticleView?l=en&urlname=content-products-avg-antivirus-configuringsettings-exportmailshieldcert

Hope this helps.

Regards,

Jose A. Diaz

On Sunday, May 31, 2026 at 01:26:29 AM GMT-5, Graham Jones via stunnel-users <stunnel-users@lists.stunnel.org> wrote:

I'm new to Stunnel.

stunnel 5.78 on x64-pc-mingw32-gnu platform Windows 7 Pro.

During installation, the process walked me through the creation of a

certificate.

I have these settings:

[Lopham-imap]

client = yes

accept = 127.0.0.1:52143

connect = mail.lopham.co.uk:993

CAfile = ca-certs.pem

The connection succeeds.

I add the following lines:

verifyChain = yes

checkHost = mail.lopham.co.uk

OCSPaia = yes

The connection fails with the following lines in the log:

2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] accepted connection from

127.0.0.1:51901

2026.05.30 21:45:52 LOG5[2]: s_connect: connected 193.143.227.10:993

2026.05.30 21:45:52 LOG5[2]: Service [Lopham-imap] connected remote server

from 127.0.0.1:51902

2026.05.30 21:45:52 LOG4[2]: CERT: Pre-verification error: certificate not

found in local repository: self-signed certificate in certificate chain

2026.05.30 21:45:52 LOG4[2]: Rejected by CERT at depth=1: OU=generated by

AVG Antivirus for SSL/TLS scanning, O=AVG Web/Mail Shield, CN=AVG Web/Mail

Shield Root

2026.05.30 21:45:52 LOG3[2]: SSL_connect:

tls_post_process_server_certificate@ssl/statem/statem_clnt.c:2124:

error:0A000086:SSL routines::certificate verify failed: client

127.0.0.1:51901

2026.05.30 21:45:52 LOG5[2]: Connection closed/reset: 0 byte(s) sent to TLS,

0 byte(s) sent to socket

I see it finds the self-signed certificate in certificate chain. Why is

this rejected?

Any ideas, please?

Regards,

== Graham

_______________________________________________

stunnel-users mailing list -- stunnel-users@lists.stunnel.org

To unsubscribe send an email to stunnel-users-leave@lists.stunnel.org